RansomHub for Linux poses a security threat to VMware ESXi

A recent report by BleepingComputer has revealed that a new Linux encryptor was used in attacks against VMware ESXi environments as part of the ransomware-as-a-service operation known as RansomHub. This encryptor is believed to be based on the discontinued Knight ransomware and offers various features such as decryption of configurations, execution delays, progress information logging, …

RansomHub ransomware variants now targeting VMware ESXi VMs on Linux systems

The RansomHub ransomware operation, launched in February 2024, targets VMware ESXi environments in enterprise attacks. It is a ransomware-as-a-service (RaaS) operation linked to other ransomware groups and has affected over 45 victims in 18 countries. A specialized ESXi variant of RansomHub was discovered by Recorded Future in April 2024, showing overlaps with the now-defunct Knight …

Hackers Employ Linux Rootkits to Conceal Themselves on VMware ESXi Virtual Machines in UNC3886

A Chinese threat actor known as UNC3886 has been using the open-source rootkits Reptile and Medusa to hide on VMware ESXi virtual machines while stealing credentials and executing commands. Mandiant has been tracking UNC3886’s activities against government organizations, including attacks exploiting zero-day vulnerabilities in Fortinet and VMware products. UNC3886 has recently targeted organizations in North …

New variation of Mallox ransomware focusing on privileged VMware ESXi environments

The Mallox ransomware group is targeting VMware ESXi environments with a new Linux variant that specifically aims to deploy its payload on machines with high-level user privileges, as discovered by researchers at Trend Micro. Mallox, also known as Fargo and Tohnichi, has been active since June 2021 and has infected hundreds of organizations worldwide, primarily …

TargetCompany’s Linux variant targets ESXi environments

Researchers at Trend Micro have analyzed a new Linux variant of the TargetCompany ransomware, which uses a custom shell script to deliver and execute the payload targeting VMware ESXi environments. This variant exfiltrates victim information to two different servers, enhancing the ransomware actors’ ability to disrupt operations and increase ransom payment chances. The Linux-based variant …

TargetCompany Ransomware Targets VMware ESXi on Linux Systems

A new Linux variant of the TargetCompany ransomware family has been identified by researchers, focusing on VMware ESXi environments and using a custom shell script to deliver payloads. The ransomware, previously known as Mallox, FARGO, and Tohnichi, emerged in June 2021 with attacks on databases, primarily in Taiwan, South Korea, Thailand, and India. Antivirus company Avast …

N-able Enhances Disaster Recovery as a Service with Cove Standby Image for VMware ESXi, Boosting Flexibility and Affordability

N-able, Inc. has announced that Cove Data Protection™ has enhanced its disaster recovery options with the introduction of Standby Image for VMware ESXi. This feature also supports Hyper-V and Microsoft Azure, offering MSPs and IT professionals a more efficient and cost-effective Disaster Recovery as a Service (DRaaS) solution for their clients. The update aligns with …

TargetCompany Uses Linux Ransomware to Target VMware ESXi

BleepingComputer recently reported on a series of attacks using a Linux variant of the TargetCompany ransomware, which is also known as FARGO, Mallox, and Tohnichi. These attacks specifically targeted VMware ESXi environments and were carried out by the ransomware affiliate “Vampire,” who is also suspected of targeting vulnerable Microsoft SQL servers. The attackers used a …

TargetCompany ransomware now infecting VMware ESXi environments with Linux version

A new variant of the TargetCompany ransomware family has been discovered targeting VMware ESXi environments using a custom shell script for payload delivery and data exfiltration. This marks the first time such a technique has been observed in the wild. The Linux-based variant was specifically designed for the VMware ESXi environment. Operating since June 2021, …

Ransomware attacks against VMware ESXi infrastructure are using a new method

Sygnia cybersecurity experts have observed a rise in ransomware attacks targeting virtualized environments, particularly VMware ESXi infrastructure. Threat actors are exploiting vulnerabilities and misconfigurations in virtualization platforms to exfiltrate data before encrypting systems. Notorious ransomware groups such as LockBit and BlackMatter are using this attack vector. These attackers shut down virtual machines before encryption, making …